While everyone freaks out over passwords to millions of Twitter accounts floating around, the hijacking of yet another high-profile account shows that hackers don't necessarily need your password. Activist and former mayoral candidate Deray Mckesson was the latest to have his account taken over, with an attacker deciding to claim Deray supports Donald Trump. According to Mckesson, this happened even though the hacker didn't have his password, and he had two-factor authentication turned on for his account. In this case, the hacker went a step further, by hijacking his phone number with the help of Verizon customer service.
Today I learned that it is rather easy for someone to call the provider & change your SIM. The hacker got the account verification texts.
— deray mckesson (@deray) June 10, 2016
As detailed in a series of tweets, this morning someone called Verizon posing as Mckesson and apparently armed with the last four digits of his social security number. This person changed the registered SIM on his account to one they controlled, redirecting any SMS to their phone instead of his. After that, they just triggered a password reset on Twitter and waited for the authorization code to come in.
While @Deray was able to recover his account with Twitter's help (it's good to be friends with @Jack), for the normal user it might not be as easy. Unfortunately, even with extra security like this in place, social engineering of various types can still put your information at risk. Hackers used a similar method to take control of developer Grant Blakeman's Instagram page in 2014, and accessed the Gmail account of Cloudflare's CEO in 2012 by redirecting his AT&T voicemail. Wired writer Mat Honan had his accounts and devices taken over when a hacker convinced Amazon to give up the last four digits of his credit card number, then used that information to get a new password for his Apple iCloud account.
So what else can you do to protect yourself? Unfortunately, many services still use SMS or phone calls for the second factor of authentication (using a one-time password generated by an app like Google Authenticator removes your phone number from the equation), and telephone and cable providers largely don't support two-factor at all. Instead, by default they verify account info over the phone using the SSN, as happened in this case, and that number is all too easily found by hackers.
Buzzfeed points out a recommendation recently published by the FCC's CTO: The major mobile carriers will allow you to set your own password that's required for account access. Sprint requires a PIN at account setup, Verizon can set up a four-digit billing password, T-Mobile will set up a customer care password if you ask, and AT&T lets you set one up via its app. Your internet service provider probably has a similar option, but you may have to request it there also.